By Arun Kumar Shrivastav
The right to privacy in the time of the internet boom is difficult to enforce. But governments around the world are working to reverse this and restore control in the hands of users. Between tech companies and governments, there is a rush to take control of the huge amount of data being generated. It’s said that data is the new gold, the new oil. It is the foundation of a new economy. Given this, the new data protection bill being considered by the Indian government is attracting a great deal of attention from the relevant circles.
The Ministry of Electronics & Information Technology (MEITY) has released a draft of “The Digital Personal Data Protection Bill 2022” and has sought suggestions and comments from Indian citizens till December 17. “The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” MEITY said in a statement while introducing the bill.
The Personal Data Protection Bill 2019, which the government withdrew in early 2022, generated a lot of interest and conflicting viewpoints from industry stakeholders and policy experts. While withdrawing the bill, the government promised a revised and updated bill soon.
Personal data has been a sensitive issue. Big tech companies are collecting and storing huge amounts of personal data and leveraging it for their growth. Data principals (users whose data is being used) and governments have not been quite comfortable with this state of affairs. They are particularly upset with the prospect of these companies selling personal data to third parties. In recent Indian elections, it came to light that some political parties used foreign-based big data analytics companies. These companies were able to provide caste-, age-, income-, and gender-based analytics for political parties to use for electoral advantage.
What is worrisome in these cases is that the data principals do not know how their personal information is being traded and used. For the government, it’s equally embarrassing that it has no control over how personal data from the country is getting stored in servers outside India and owned by big tech companies who make billions of dollars by trading the data.
To set the anomalies right, the government moved to enact personal data legislation through a bill in 2019 that ended with the government withdrawing it early this year. The reason the government withdrew the bill was the enormous number of changes that the joint parliamentary committee suggested to the original bill. The bill was originally mooted in 2018 and introduced in parliament in 2019. Amid protests from the opposition, it was sent to a joint parliamentary committee to consider all the viewpoints and recommend suitable changes.
In the previous personal data protection bill, the government had brought data generated by both online and offline methods under the ambit of the bill. The new bill excludes manual data collection from its purview. As a result, the Digital Personal Data Protection Bill 2022 deals only with digital data. It’s now geared toward identifying issues related to the digital identity of a person and addressing its safety, privacy, and control.
In the earlier attempt, the government had proposed a strict mechanism to ensure that personal and sensitive data are stored on servers within the country. Tech companies had protested this restriction and argued that it was logistically unfeasible. It also sounded offbeat for Indian startups who were dealing with similar data from overseas clients. In the latest bill, the government has eased this provision and proposed to allow the cross-border flow of data to “trusted” jurisdictions. Companies of significant size are also required to appoint data protection officers and data auditors to ensure compliance with the law.
Tech companies had practically no objections to storing within the country sensitive data that pertained to the country’s sovereignty, security, and integrity.
Another aspect of the previous bill that caused a great deal of resentment, particularly among media persons and rights activists, was the exemptions given to government agencies. They were supposed to have free access to personal data, as breaches of the protection provisions were covered by legal exemptions provided in the bill. By and large, this provision continues in the new bill, but instead of the all-powerful Data Protection Authority, the new bill allows the central government to set up a Data Protection Board. It will also have the authority to mandate government agencies to access personal data and provide exemptions to them, a company, or a friendly nation.
Data fiduciaries who breach the provisions under the digital personal data protection bill will be liable for graded punishment ranging from Rs 50 crore to Rs 500 crore. Consumers who file false complaints can be fined up to Rs 10,000. The number of clauses in the current bill has been brought down from 90 to 30, which promises simpler interpretation and enforcement of the data protection law. (IPA Service)